Try in Splunk Security Cloud

Description

This analytic is to detect a high frequency of file deletion relative to process name and process id /etc/ folder. These events was seen in acidrain wiper malware where it tries to delete all files in a non-standard directory in linux directory. This detection already contains some filter that might cause false positive during our testing. But we recommend to add more filter if needed.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-04-12
  • Author: Teoderick Contreras, Splunk
  • ID: 9d867448-2aff-4d07-876c-89409a752ff8

Annotations

ATT&CK
ID Technique Tactic
T1485 Data Destruction Impact
T1070.004 File Deletion Defense Evasion
T1070 Indicator Removal on Host Defense Evasion
Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 3
  • CIS 5
  • CIS 16
CVE
1
2
3
4
5
6
7
8
9
10
11
12
| tstats `security_content_summariesonly` values(Filesystem.file_name) as deletedFileNames values(Filesystem.file_path) as deletedFilePath dc(Filesystem.file_path) as numOfDelFilePath count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.action=deleted Filesystem.file_path = "/etc/*" by _time span=1h  Filesystem.dest Filesystem.process_guid Filesystem.action 
| `drop_dm_object_name(Filesystem)` 
|rename process_guid as proc_guid 
|join proc_guid, _time [ 
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.parent_process_name != unknown NOT (Processes.parent_process_name IN ("/usr/bin/dpkg", "*usr/bin/python*", "*/usr/bin/apt-*", "/bin/rm", "*splunkd", "/usr/bin/mandb")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid 
| `drop_dm_object_name(Processes)` 
|rename process_guid as proc_guid 
| fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action] 
| table  process_name process proc_guid action _time  deletedFileNames deletedFilePath numOfDelFilePath parent_process_name parent_process  process_path dest user 
| where  numOfDelFilePath >= 200 
| `linux_high_frequency_of_file_deletion_in_etc_folder_filter`

Macros

The SPL above uses the following Macros:

Note that linux_high_frequency_of_file_deletion_in_etc_folder_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time
  • Filesystem.dest
  • Filesystem.file_create_time
  • Filesystem.file_name
  • Filesystem.process_guid
  • Filesystem.file_path
  • Filesystem.action
  • Processes.dest
  • Processes.user
  • Processes.parent_process_name
  • Processes.parent_process
  • Processes.process_name
  • Processes.process_path
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.

Known False Positives

linux package installer/uninstaller may cause this event. Please update you filter macro to remove false positives.

Associated Analytic story

RBA

Risk Score Impact Confidence Message
49.0 70 70 a $process_name$ deleting multiple files in /etc/ folder in $dest$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1